I'm a bit new to coding backend services, and I'm not sure how to solve this problem.

So users in an iOS app can be authenticated with Cognito and afterwards gain the rights to invoke Lambda functions that connect to an RDS database. That RDS database pulls that user's information or updates it upon request.

The Lambda function will search for a primary key, i.e. a unique username, to query the data. If a hacker were to use a MITM attack to get their unique username, what could stop them from putting that in locally so when the Lambda function is invoked it queries for the victim's data instead of their own?

I'm familiar with public/private key pairs as an option. However, my other concern is if they still somehow knew the other user's primary key and could just enter that locally, have it encrypted and sent to the server.
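Added example, not part of the original post: the lookup pattern described in the question next to a handler that ignores any client-supplied key and uses the identity Lambda attaches to the invocation instead. It assumes a Python runtime and invocation through the AWS mobile SDK with Cognito identity pool credentials; the table layout, sample rows, the `fake_context` helper and the in-memory SQLite database standing in for RDS are all constructed for illustration.

```python
import sqlite3
from types import SimpleNamespace

# Constructed sample data; in-memory SQLite stands in for the RDS database.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE profiles (owner_id TEXT PRIMARY KEY, username TEXT, email TEXT)")
db.executemany("INSERT INTO profiles VALUES (?, ?, ?)", [
    ("us-east-1:aaaa-constructed", "alice", "alice@example.com"),
    ("us-east-1:bbbb-constructed", "bob", "bob@example.com"),
])

def handler_trusting_client(event, context):
    """The pattern in the question: the lookup key comes from the request body."""
    row = db.execute("SELECT username, email FROM profiles WHERE username = ?",
                     (event["username"],)).fetchone()
    return {"username": row[0], "email": row[1]} if row else None

def handler_bound_to_identity(event, context):
    """Hardened form: the lookup key is the caller's authenticated Cognito identity.

    context.identity.cognito_identity_id is populated by Lambda from the
    credentials that signed the invocation, so the request body cannot set it.
    Any 'username' field in the event is ignored.
    """
    identity = getattr(context, "identity", None)
    caller_id = getattr(identity, "cognito_identity_id", None)
    if not caller_id:
        raise PermissionError("no authenticated Cognito identity on this invocation")
    row = db.execute("SELECT username, email FROM profiles WHERE owner_id = ?",
                     (caller_id,)).fetchone()
    return {"username": row[0], "email": row[1]} if row else None

def fake_context(identity_id):
    """Hypothetical helper: mimics the Lambda context object for a local run."""
    return SimpleNamespace(identity=SimpleNamespace(cognito_identity_id=identity_id))

if __name__ == "__main__":
    bob = fake_context("us-east-1:bbbb-constructed")
    request = {"username": "alice"}  # Bob's request naming Alice's key
    print(handler_trusting_client(request, bob))    # Alice's row comes back
    print(handler_bound_to_identity(request, bob))  # Bob's own row comes back
```

Because the second handler never reads a key from the request, knowing another user's username or encrypting it before sending changes nothing about which row is returned.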